0$ 



0 



(12) 



llllllllllllllllllllllllillllllllllllllllllllllllll 
, European Patent Office , 

Office europeen des brevets (1 1 ) EP0 848 314 A1 

EUROPEAN PATENT APPLICATION 

(51) Int. CI. 6 : G06F 1/00, G06F 12/14 



(43) Date of publication: 

17.06.1998 Bulletin 1998/25 

(21) Application number: 97306103.9 

(22) Date of filing: 11.08.1997 



(84) Designated Contracting States: 


(72) Inventors: 


AT BE CH DE DK ES Fl FR GB GR IE IT LI LU MC 


• McCollum, Tab 


NL PT SE 


Camden, Ohio 45311 (US) 




• Jury, Thomas W. 


(30) Priority: 11.12.1996 US 763917 


Beavercreek, Ohio 45440 (US) 


(71) Applicant: 


(74) Representative: 


NCR INTERNATIONAL INC. 


Irish, Vivien Elizabeth 


Dayton, Ohio 45479 (US) 


International IP Department, 




NCR Limited, 




206 Marylebone Road 




London NWi 6LY (GB) 



(54) Document security system and method 

(57) A server (A) has a database (12A) in which a 
number of documents are stored. The server (A) is 
accessible by many distant user terminals (20A..20N), 
for example via the internet. The documents may be in 
HTML form for distribution through the World Wide Web. 
Each document is assigned a security level and differ- 
ent documents may have different security levels on a 
document by document basis. The database (12A) 

FIG. 1 



12A — 



SERVER A 



DATABASE A 



CGI -A 



SERVER B 



DATABASE B 



CGI-B | 



_12B 



includes a table containing a user name, a password 
and a security level indicator. When a particular docu- 
ment is requested by a user terminal (20A) the security 
level of the user is determined from the table and 
access to the document is allowed only if the security 
level of the requesting user is as least as high as the 
security level of the requested document. 
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Description 



This invention relates to a document security system and method. It has application in the provision of a security 
database for HTML (hypertext markup language) documents in a World Wide Web application. 
5 With the increased number of internet users and the ease of accessibility of the World Wide Web, there is an 
increasing demand for the use of the Web as a vehicle for distributed applications. These distributed applications are 
composed of HTML documents and can be accessed by various Web browsers, such as Netscape Navigator or Micro- 
soft Internet Explorer. Hypertext links relate the documents to each other and give users a way to navigate from one file 
to another. 

10 These distributed applications require security to limit access to valid users. Currently, a typical approach to provid- 
ing security for HTML documents requires the server directory and subdirectories where the HTML documents are 
located to be secured at the same level. This means that an individual user can have access to all the documents in the 
directory or access to none of the documents in the directory based on an appropriate user id and password. Another 
drawback of this typical approach is that this approach depends upon the naming convention used for the subdirecto- 

15 ries and thus makes porting of the application (and all of the associated HTML documents) to another server difficult. 
It is an object of the invention to provide security of access to individual documents on a document-by-document 
basis. 

According to the invention in one aspect a document security system comprising a server in which a plurality of 
documents are stored for access by user terminals is characterised in that a database is provided in the server, which 
20 database has: means for storing user information; means for storing document information; and means for providing 
access to the stored documents document-by-document on the basis of the user information and the document infor- 
mation. 

The said means for storing user information may include means for storing a user identification name, an associ- 
ated user password and an associated security level indicator for indicating the highest level of security access for the 
25 user name associated therewith. , 

The said means for storing document information may include a file name, code means for creating a document 
associated with the file name and a security level indicator associated with the file name for indicating the security level 
of the associated document. 

The said means for providing access to stored documents may be included in a common gateway interface file. 
30 In carrying out the invention a plurality of different servers may be provided each having its own database and each 
having an internet connection to enable any of a plurality of user terminals to be connected to any of the servers. 

According to the invention in another aspect method of providing document security in an environment where a 
server stores a plurality of documents and the server is accessible by any of a plurality of user terminals comprising the 
steps of: assigning a security level to each document, assigning a security level to each user terminal, receiving a 
35 request at the server from a user terminal for access to a document, determining the security level assigned to the user 
terminal, comparing the determined security level with the security level assigned to the requested document, and pro- 
viding access to the requested document only if the result of the comparison step indicates that the security level of the 
said user terminal is at least as high as the security level assigned to the requested document. 

A plurality of servers may be provided in which case there may be included the step of locating the particular server 
40 in which the requested document is stored. 

In embodiments of the invention there may be included the step of associating a user identification name and a user 
password with the assigned user security level. 

The invention is readily applicable to providing security for HTML documents in a world wide web application. Such 
security is available to control user access to individual HTML documents or groups of documents. Furthermore the 
45 applications, or documents in an application, can be readily ported to other servers since the applications do not rely 
on directory structure to provide security! 

The invention will now be described by way of example with reference to the accompanying drawings, in which: 

Fig. 1 is a block diagram of a system of the present invention; 
so Fig. 2 is a block diagram of a User Table for use with the present invention; 

Figs. 3A and 3B are block diagrams of a File Table for use with the present invention; and 
Fig. 4 is a flowchart of the method of the present invention. 

A portion of the disclosure of this patent document contains material which is subject to copyright protection and to 
55 which a claim of copyright protection is made. The copyright owner has no objection to the facsimile reproduction by 
anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent files 
or records, but otherwise reserves all copyrights and similar rights whatsoever. 

Referring now to the drawings, in which like-referenced characters indicate corresponding elements throughout the 



several views, attention is first drawn to Figure 1 which shows a block diagram of the system 1 0 for providing a security 
database for HTML documents in a WWW application. The system 10 includes a plurality of PCs 20A through 20N or 
other client terminals which have access to the Internet. PCs 20A through 20N include a web browser such as Net- 
scape Navigator or Microsoft Internet Explorer. PCs 20A through 20N also include an input device such as a keyboard 
or a mouse and other standard components such as memory, display, microprocessor, etc. 

The system 10 also includes a plurality of servers 12A through 12X or other large storage devices also connected 
to the Internet Each server 12A, 12B , ... 12N may include a database having specified files or the server may not ini- 
tially include a database at all such as 12X. The databases included may be any commonly available databases. Exam- 
ples include Access (available from Microsoft), Dbase (available for Ashton-Tate), etc. Each server 12A 12B 12N 
also includes a CGI (common gateway interface) script file (CGI-A, CGI-B, etc.) for passing '"formation from the PCs 
via the browsers to the servers and from the servers via the browsers to the PCs. The required CGI script f es can be 
built with just about any programming or scripting language (for example, C) that the users servers support The CGI 
code provides the interface with the server and passes and receives the information between the database in the server 
and the user terminal. A sample of CGI code is included at the end of this description. The sample CGI code also 
includes an invention-specific or customized module entitled "Module 2" which provides specific examples of code for 
checking security levels and granting access and downloading HTML files according to the present '"vention. 

In discussing Figs. 2, 3A and 3B, exemplary database A in server 12A will be described. This description applies 
to the other databases located in the other servers. Additionally, server 12X does not initially include a database. How- 
ever according to the present invention, any desired database from one of the other servers can be ported to server 
12X without the difficulties normally encountered when moving or copying a grouping of files from one server to another 
server when the files are located in the directory structure. 1Mre Tho 
Referring first to Fig. 2, database A includes a User Table 100 which is basically used to keep track of users. The 
User Table may include fields such as user name 110. user identification (id) 120. user password 130, user security 
level 1 40 and user group 150. Additional fields may be included or some of the above fields may be deleted as long as 
the User Table contains enough information to accurately identify a user requesting a document and prov.de the secu- 
rity level (or privileges) corresponding to that user. ..,.■_•» „, 4 , 

Referring next to Figs. 3A and 3B, database A also includes a Files Table 200 which is basically used to control 
access to individual HTML documents. The Files Table 200 may include fields such as security level 210, user group 
220 file name 230 and HTML code 240. Additional fields may be included or some of the above fields may be deleted 
as long as the Files Table contains enough information to accurately determine if a requested document is conta.ned in 
the database and whether a user requesting a document should be given access to the document If the user is given 
access, then the code (or file) in the HTML code field 240 is passed to the user (through the user's browser). To provide 
the HTML code field to the user, the customized CGI module passes the code (or file) to the user verbatim with the fol- 
lowing exception. In any hypertext links to other documents, referenced by (A HREF=f.lename> HTML tags, the specific 
file name is replaced with a reference to the customized CGI module and the file name is appended as a parameter. 
For example: 

(A HREF="filename" is replaced with 
<AHREF="invent.exe?Name=UserName&file=filename" 

In this way the customized CGI module can interact with the user's web browser and invoke the correct hypertext 
link to other files in the database. This process allows the passing of the file to the user to occur without any nofceable 
difference from a server with security protection for the entire server or subdirectory because the users inquiry for a 
specific HTML file calls the customized CGI module which handles the processing of the user s secunty level and user 
group and the f ile's required security level and user group. Thus, although the present invention provides lexfc.l.ty in 
allowing access to various documents on a server, the user interface is virtually the same as standard systems which 
do not provide varying security levels for documents on the same server or in the same directory. 

Fig 4 shows a flowchart of the method for providing a security database for HTML documerrts in WWW applica- 
tions. First in step 310, a user requests access to a file, preferably using a web browser Then , ,n step 320 u he web 
browser interactswith cgi script files in servers 12Athrough 12N until the desiredfile, which * embedded <na<Ud»« 
is located in a particular server. Alternatively, a user could request a list of all files located in a particular database and 
select a desired file from that list. Next in step 330, the cgi script file of the particular server uses the user id and the 
user password to determine the assigned security level and user group in the User Table 100 

Then in step 340, the cgi script file compares the user's security level and user group with those required in the 
Files Table 200 corresponding to the desired file. In step 350, it is determined whether the user has »• W^^"* 
level and user group to access the desired file. If yes, then in step 360. the information ,n the HTML Code f lett 240 of 
Files Table 200 is provided to the user's browser as described above. Thus the user is prov,ded a first document or web 
page If the user requests a different file in the same server then in step 370, the step of comparing the user s security 
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level and user group with those required in the Files Table 200 corresponding to the new desired file is performed. If the 
user does not request a different file in the same server then the process is ended in step 390. (Of course, If the user 
requests access to a file in another server, then the user's browser must interact with the cgi script files in all the servers 
until the desired file embedded in the database of the new server is located.) 

If a user requests access to a document and does not have the required security level and user group for the 
desired document, then the user is informed that access has been denied in step 380. Then the process ends in step 
390 

An advantage of the present invention is that user access to individual HTML documents (or groups of documents) 
can be determined and controlled. 

Another advantage of the present invention is that applications (or documents in an application) can be ported to 
other servers since the applications do not rely on the directory structure to provide security. Rather the documents are 

located in the database. . 

Although the invention has been described with the use of an example CGI script file and related customized mod- 
ule of the CGI file it is contemplated that any coding which provides the functions as discussed with respect to the 
above files is contemplated within the scope of the present invention. Additionally, although the program providing the 
fields has been described as a database, any program which can provide fields to be accessed and compared accord- 
ing to the description is contemplated within the scope of the present invention. 
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Proqram Name : invent . Exe 
Date: November 1996 

Author: Tab McCollum 

NCR Corporation 
Information Products 
Research and Development 

Programming Lanquaqe: Visual Basic. 4 
Proqram Sources Files: 

cgi32.bas 
dbsample .bas 
invent. vbp 

other files needed: 

dbl .mdb 

Program Purpose: This proqram can only be used in conjunction with 
a wrld wide web server that supports the windows cgi specif cation. 

This program provides a secure means of taking html' files that have 
Sen stored in the dbl. mdb database file in the files table and 
restricting access to them. 

The program first lists an index of the files available and allows the 
user to select a file name. At that time the user also inputs a 
user name and password which is then sent to the www server. 

The program then validates the user by password, security level and 
group level before the html file is displayed. 

security and group levels are required for both users and files 

Please note that this is all done within the database itself and does 
not rely on the security mechanisms of the web server. 

Notice: The author is not responsible for the data content that, is the 
result of using this program. 

The source code' in the CGI32.Bas file below is a freely distributed file. 
It is not covered by any copyright notices. 

MrSrce^oirirthe dbsample. bas file is copyrighted as described below 
Copyright NCR Corporation, all rights reserved 1996 



************* 

* CGI32.BAS * 
************* 

VERSION: 1.7 (December 3, 1995) 

AUTHOR: Robert B. Denny <rdenny@netcom. com> 

Common routines needed to establish a VB environment for 
Windows CGI programs that run behind the WebSite Server. 

INTRODUCTION 

The Common Gateway Interface . (CGI) version 1 1 specifies aminimal 
set of data that is made available to the back-end application by 
an HTTP (Web) server. It also specifies the details for Passing tms 



1 Framework 

specific to Unix : like environments. 



The NCSA httod for windows does 



DEVELOPMENT 

WebSite reauires any Windows back-end proqram to be an 
exec^abL^maqe. This means that you must co nje« vour VB 
application into an executable (.EXE) Derore it 
with the server. 

ENVIRONMENT 

The WebSite server executes script . requests by doinq a 
CreateProcess with a command line in the following form. . 

prog-name cgi-profile 
THE CGI PROFILE FILE 

rJs? inn ssjijs ^ e^i^i^w* 

names have been changed cosmetically. 

and [Fo™ huge] . They are described below: 



<== The standard CGI variables 
The version of CGI spoken by the server 
The server's info protocol (e.q. HTTP/ i.uj 
The method specified in the request (e.q.. GET) 
If the client requested connection re : use (Yes/No) 
Physical pathname of the back-end (this program) 
Extra path info in logical space 
Extra path info in local physical space 
errina followinq the "?" in the request URL 
Ml£™onEeirK5e of info supplied with request 
Lenqth bytes, of info supplied with request 
Bv?e-ranqe specfication received with request 
Version/revision of the info (HTTP) server 
s1rve?"s network hostname (or alias from config) 
Server's network port number . Anf . , 

E-Mail address of server's admin, (config) _ 
URL of referring document 
p-Maii of client user (rarely seen) 
Itrinq describing client/browser software/version 
Remote client's network hostname 



[CGI] 

CGI Version= 
Request Protocols 
Request Method= 
Request Keep-Alive= 
Executable Path= ■ 
Loqical Path= 
Physical Path= 
Query String= 
Content Type= 
Content Length= 
Request Ranqe= 
Server Software* 
Server Name= 
Server Port= 
Server Admin= 
Referer= 
From= 

User Aqent= 

lllllt Address- Remote client 'i network address 

Authenticated Username=Username if present in request 
AuSicated Password=Password if P«"^in request 
Authentication Method=Method used for authentication le.g. 
Authentication Realm=Name of realm for users/groups 

fAcceptl <== What the client says it can take 

The MIME types found in the request header as 

Accept: xxx/vyy; zzzz... 
are entered in this section as 

xxx/yyy= z z z z . . . 
If only the MIME type appears, the form is 

xxx/yyy= Yes 



"Basic": 



[System] 
GMT Offset= 
Output File= 
" rr -!-o^r File = 



<== Windows interface specifics , T /wn 
Offset of local timezone from GMT, seconds LONG 
Pathname of file to receive results r 
Pathname of file containing raw request cn.e... 



If server's CGI debug fiag is set (Yes/No) 



GI Framework - 3 
Debug Mode= 

S'-exKa-^aders found in the request that activated this 
Program. They are listed in »key*value« form Usually, you 11 see 
at least the name of the browser here as "User-agent . 

{PSe'reS was a POST go^MicJor*^ 
"application/x-www-form-urlencoded ) , ^ e „^_f r a 1 ue^ev=value&. . . " , 

(decoded) form in the [Form Literal] section of the INI. 
ir™e E decoded ] value string is more than 254 characters long 

tempfile and lists the field in this section as: 
wherr^IthSris'tnf Sath and name of the tempfile .containing 
the decoded value string, and <length> is the length in bytes 
of the decoded value string. 

NOTE- BE SURE TO OPEN THIS FILE IN BINARY MODE UNLESS YOU ARE 
CERTAIN THAT THE FORM DATA IS TEXT: 

if°™e F fom data contained any uploaded files, they are described in 

srffis anf H^f^^h^^ 

^^'^^^^^ 

<name> is the original file name of the uploaded file. 

if°^e H raw ] value string is more than 65 , 536 bytes long the server 
does no decoding. In this case, the server lists the field in this 
section as : 

wherHoflflfAs^fo-ffset from the beginning of the Content File 
a£ whicS'thf lvalue string for this key is located and <l*ngth> 
Tc rhP lpnath in bvtes of the raw value string. You can use cne 
<offs1t> to perform " "Seek" to . the start of the raw value string, 
and ule the !!£?h\S know when you have "ad the entire raw string 
into your decoder. Note that VB has a limit of 64K for strings, so 

Examples : 

[Form Literal] 

smallfield=123 Main St. #122 

iiS™300cha?SU:\website\cqi-tmp\la7fws.000 300 
iilldwithlinebreaks=c : \website\cgi-tmp\la7f ws .001 43 

f ield230K=c : \website\cgi-tmp\la7fws . 002 276920 



USAGE 



Include CGI32.BAS in your 



VB4 project. Set the project options for 



Th 0 M^ir!' 1 orocedurs 



this module, and it 
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w„„H-> oe *n nf rhe setuD of the VB CGI environment, as described 

handles all of the "tup 01 u Ma inO calls YOUR main procedure, 

above. Once all of ^is xs aone, cne ^ use Send ( , 

l^iS^to^t^SS^^Sli'is^^ and "huge" form fields 
have not been decoded. 

NOTE : If your program i» started without conjanj- line jrjj 

the code assumes you want to run interacti v ^v. ^ Main( ), 

user that the program is not meant to be run interactively. 
The samples furnished with the server do this. 

If a Visual Basic runtime error occurs, it will be t «5g d 0 S d c g sult 

TO MAINO. Don't just do an "End . 

Have a look at the stuff below to see what's what. 



Author- Robert B. Denny <rdenny@netcom. com> 
April .15. 1995 



jvision History: ... . „„„ ,__ f ,, b -j rm ras l 7) 
Si-igrSi rH Cna^ld lotTe inpuJInd^ul fills from profile 
02-Aug-95 rbd ^rver no longer produces long command line. 
74 Aua-9S rbd Mike call to GetPrivateProf ileStrmg conditional 
24 -Aug 95 rba ™ Ke ^ bit anQ 32 , bit versions supported. Fix 

computation of CGI GMTOffset for offsets (GMT) 
case. Add FieldPresent ( ) routine for checkbox 
handiina. Clean up comments. . 
29-Oct-95 rbd Added PlusToSpace ( ) and UnescapeO functions for 

decodina query strings, etc. . 

16-NOV-95 rbd AdTSep- alive variable file uploading description 

in comments, and upload display. 
20-Nov-95 rbd Fencepost error in ParseFileValue ( ) v , aT , / ,,._ 
20 Nov as roa £ Q Error Resume Next from error handler 

user-Lent is now a variable, real HTTP header 



23-NOV-95 rbd 



03-Dec-95 rbd User-Agent is now a vanauie, isai " Ai f\ 
oj uec ^ roa ^ Re guest-Ranqe as http header as well 

Option Explicit 



Manifest Constants 



*. mtvv nun-iacrc - fi 1 Max # of command line args 

c2K ^JM^wllzi I 4096 ■ Key enumeration buffer, see GetProfileO 

; ^^Th&VXo" ^ MaTTof "extra" request headers 

Conlt ACCTYPe" 100 ' Max # of Accept: types in request 

Const JSx FORM TUPLES = 100 ' Max # form key-value pairs 

„ Z JVV uttptt titpt f<? - 16 ' Max # "huqe" form fields 

Sit M^_?ILE_?UPLEi "= " ■ "ax # of uploaded file tuples 



Types 



Type Tuple 

key As String 
value As String 



• Used for Accept: and "extra" headers 

■ and for holding POST form key=value pairs 
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( ' 

Type FileTuple 

kev As Strinq 
file As Strinq 
lenqth As Lonq 
type As Strinq 
encodinq As Strinq 
name As String 

End TyP e 

Type HuqeTuple 

kev As Strinq 
offset As Lonq 
lenqth As Long 

End Type 



Global Constants 



Used for form-based file uploads 
Form field name . imlnarip[ , file 

Local -tempfile "'f 31 ™^?^ 6 '* flle 
Lenqth in bytes of uploaded file 

gK£.3&&t^ f tfJPlo*- file 
Original name of uploaded file 

Used for "huqe" form fields 
Kn°orfsK C ?nto ) Content File of value 
Length of value, bytes 



Error Codes 



Global 
Global 
Global 
Global 
Global 
Global 
Global 
Global 
Global 
Global 
Global 



Const ERR ARGCOUNT = 32767 
Const ERR BAD REQUEST = 32766 
Const ERR UNAUTHORIZED = 32765 
Conlt ERR PAYMENT REQUIRED = 32764 
Const ERR FORBIDDEN = 32763 
rnntt ERR NOT FOUND = 32762 
Conlt ERR INTERNAL ERROR = 32761 
Const ERR NOT IMPLEMENTED = 32760 
Const ERR TOO BUSY = 32758 
Const ERR NO FIELD = 32757 
Const CGI ERR_START = 32757 



HTTP 400 
HTTP 401 
HTTP 402 
HTTP 403 
HTTP 404 
HTTP 500 
HTTP 501 

HTTP 503 (experimental) 
GetxxxField "no field" 
Start of our errors 



CGI Global Variables 



Standard CGI variables 

Global CGI ServerSoftware As String 
Global CGI ServerName As String 
Global CGI ServerPort As Inteqer 
Global CGI RequestProtocol As String 
Global CGI ServerAdmin As String 
Global CGI Version As String 
riobal CGI RequestMethod As Strinq 
ilSbS CGI RequestKeepAlive As Integer 
GlSSl CGI LoqicalPath As String 
nobal CGI PhysicalPath As Strinq 
glSbSl CGI ExecutablePath As String 
GlXal CGI QueryStrinq As String 
Global CGI RequestRanqe As String 
Global CGI Referer As String 
Global CGI From As Strinq . 
Global CGI UserAqent As Strinq 
Global CGI RemoteHost As Strinq 
Global CGI RemoteAddr As String 
Global CGI AuthUser As String 
Global CGI AuthPass As Strinq 
Global CGI AuthType A f c S ^ r ^ ' 
Global CGI AuthRealm^AsJtrinq^ 
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Global CGI_ContentLength As Long 



HTTP Header Arrays 



Global CGI AcceptTypes(MAX ACCTYPE) As Tuple 

Global CGI NumAcceptTypes As Integer 

Global CGI ExtraHeaders (MAX XHDR) As Tuple 

Global CGI NumExtraHeaders As Integer 



POST Form Data 



Global CGI FormTuplestMAX FORM TUPLES 
Global CGI NumFormTuples As Integer 



As Tuple 



Accept : types 

# of live entries in array 
"Extra" headers 

# of live entries in array 



POST form key=value pairs 
# of live entries in array 



Global CGI NuraForaTupies as inceget HugeTuple ■ Form "huge tuples 

Global CGI HugeTuples (MAX HUGE TUPLES as Mugeiwx ^ entries in 



Global CGI NumHugeTuples As Integer 
Global CGI FileTuples(MAX FILE TUPLES 
Global CGI_NumFileTuples As Integer 



System Variables 



Global CGI GMTOffset As Variant 

Global CGI ContentFile As Strinq 

Global CGI OutputFile As String 

Global CGI_DebugMode As Integer 



# of live entries in array 
As FileTuple 1 File upload tuples 

' # of live entries in array 



GMT offset (time serial) 
Content/Input file pathname 
Output file pathname 
Script Tracing flag from server 



Windows API Declarations 

NOTE : Declaration of GetPrivateProfileString is specially done to 
permit enumeration of keys by passing NULL , key value See ^tfrot 
Both the 16-bit and 32-bit flavors are qiven below. We DO noi 
recommend using 16-bit VB4 with WebSite. 

Declarf Function GetPrivateProf ileString Lib "kernel 3 2" _ 

Alias "GetPrivateProf ileStringA" 

(BvVal lpApplicationName As String, _ 

BvVal lpKeyName As Any, 

ByVal lpDefault As Strinq, 

ByVal lpReturnedString As String, _ 

ByVal nSize As Long, 

ByVal lpFileName As String) As Long 

Secllre Function GetPrivateProf ileString Lib "Kernel" _ 
(ByVal IpSection As String, _ 

ByVal lpKeyName As Any, 

ByVal lpDefault As String, 

ByVal lpReturnedString As String, _ 

ByVal nSize As Integer, _ 

ByVal lpFileName As String) As Integer 
#End If 



Local Variables 

Dim CGI ProfileFile As Strinq 
Dim CGI OutputFN As Inteqer 
Dim ErrorString As String 



Profile file pathname 
Output file number 
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Re turn True/False depending on whether a form field present. 
K iC £&.3SS S-SSS.^ SSd X £ rc m the fon, content.^ 

Functlon'F^idPresentl^rAs'strlng.'As Integer 
Dim i As Integer 

■ Assume failure 

FieldPresent = False 

For i - 0 To (CGI NumFormTuples - 1) 



Exit Function 
End If 
Next i 

End Function 



** DONE ** 
• Exit with FieldPresent still False 
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ErrorHandlerO - Global error handler 



If a VB runtime error occurs tf^™^*^ 53SS' iSto 
^ C o5tput q ^rtLfexS^h^ program. 

xhis should he armed immediatelv on £^^ a ^&S ^ 
r^P/?:o^r e or r ^ S sssSe ^n rated int o the output^ x 1.. The^ 
iHt p? f S?-^1o^tS r StiiS"f? f l. co the client with no 
?SterSre?ation or other_header_parsinq 



Sub" ErrorHandler (code As Integer) 



o v »rn nnt-outFN 1 ' Rewind output file 

i e J% i "HTTP/1 0 50 6 Internal Error") 

ttni "Server " + CGI ServerSof tware) 

Ind «d£E " ♦ WebDate(Now), 

Send ("Content -type: text /html ) 

Send ( " " ) 

1SS ■ * CGI.ExecucaMePath 



just in case 



»</TITLE>") 
</Hl>") 



Send 
Send 

+ "ilnrt ("<PRE>" + ErrorStrinq + "</ pRE >"' rt oina when this problem occurred,") 

"lib »ss ff-'r^-^s.^^s ssi.^-si^ * 

llnd <»</A></BODYx/HTML>"> 
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Zlose #CGI_OutputFN 
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• End ■ Terminate/ the program 

End Sub 

i GetAcceptTypesO - Create the array of accept type structs 

i Enumerate the keys in the [Accept] section of the profile file. 

■ then qet the value for each of the keys. ^ _ 

I -■- --------- ~ ~ 

Private Sub GetAcceptTypesO 

SS i L iS t lS?e|5" n ? As integer, 1 As Integer, n As Integer 

sList = GetProfilel "Accept", --) ' Get kev^is^ trailinq null 

1 = Len(sList) , start at i s t character 

i = 1 • Index in arrav 

So = wSile T ( « i < 1) And (n < MAX ACCTYPE, , , ■ /af ety^top^ere 

i = InStrd, sList, Chr$(0 ) i i - i) ' Get Key, then value 

i = i * 1 • Bump array index 

n = n f 1 r ■> 

Loop . pill in global count 

CGI_NumAcceptTypes = n rxi 3 

End Sub 



GetArgsO - Parse the command line 

Private* Function'cetArgs (argv ( ) As String) As Integer 

SS i U L A !nteger q j As Integer, 1 As Integer, n As Integer 

' Get command line 

1 Length of command line 

' If empty , 

1 Return arg'c = 0 , 



buf = Trim$ (Command$) 

1 = Len(buf) 
If 1 = 0 Then 

GetArqs = 0 

Exit Function 
End If 

i = 1 

So = While ((i < 1) And (n < MAX CMDARGS) ) 
i = inStr(i, buf, " ") 
If -j = 0 Then Exit Do . 
argv(n) = Trim$ (Mid$ (buf , l, 1 - U > 

Do While Mid$(buf, i, D = " 
i = i + l 

Loop 

n = n + 1 
Loop 

arqv(n) = TrimS <Mid$ (buf . i. (1 - i ♦ » V i^cSSt 
GetArgs = n + 1 



• Start at 1st character 
' Index in argvec 

1 Safety stop here 
' j -> next space 
' Exit loop on last arg 

' Get this token, trim it 
' Skip that blank 
' Skip any additional whitespace 



Bump array index 



End Function 
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GetExcraHeaders ( ) - Create the array of extra header scructs 

Enumerate the keys in the [Extra Headers] section of the profile file, 
then qet the value for each of the _*evs^ _ 

Private Sub GetExtraHeaders ( ) 

StS i L is C Integer^ As Integer, 1 As Integer, n As Integer 

sList = GetProfile( "Extra Headers", "»> ; . railinq null 

1 = Len(sList) , start a t i s t character 

1 = ^ ■ Index in array 

kl ESSS2S ffi! li.V-^i^SSi^%«^«. 

(n) .key) . . Bump pointer 

i = ^ * I 1 Bump array index 



Loop . < pin in global count 

CGI NumExtraHeaders = n fU1 a 



End Sub 

GetFormTuplesO - Create the array of POST form input key=value pairs 

Private Sub GetFormTuplesO 

Dim sList As Strinq j„^ a „ 0 y 
Dim i As Inteqer, i As Inteqer, k As Inteqer 
6im 1 As integer /-m As Integer, n As Integer 
. Dim s As Lonq 
Dim buf As Strinq 
Dim extName As Strinq 

Dim extFile As Integer ~\ 
Dim extlen As Long 

' Index in array 

n = o 
i 

35 ■ do the easy one first: [Form Literal] 

sList = GetProfile( "Form -Literal", "") ; Get key.list ^ 
1 = Len(sList) , start at lst chara cter 

L-wiile < (i . 1) «J <« < M« FOKM TUPLES, , • here 

e v> . _ . > Bump pointer 

* " ^ l £ ' Bump array index 

Loop 

- Now do the external ones: [Form External] 

sList = GetProfile("Form External", "") ; ^V.list ^ 
1 = Len(sList) , start at lsC character 

Sf SniSe" < Iff il'And «n < MAX FORM TUPLES) , ■ Safety stop here 

i = InStrli, sList, Chr$(0)) J > next gu±i paC hname 

CGI FormTuples (n) .key = Mid$ (sList i, i -_ i) Get Key. tnen p 
buf = GetProf ile ' "Form External", CGI_FormTupies ■ n, . k-.. 
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k =InStr!buf. " ") ' s P lic f . ile * length 
extName = MidS (buf, l, k - 1) ' Patnname 

5 k = k - i 

extlen = CLng (MidS (buf , k, Len(buf) - k + l)) • Length 

' Use feature of GET to read content in one call 

Open extName For Binary Access Read As #extFile 
CGI FormTuples(n) .value = StrinqS (extlen, " ") ' Breathe in... 
10 Get #extFile, . CGI_FormTuples (n) .value 'GULP! 

Close #extFile 

i . ■) + i ' Bump pointer 

n = n + 1 ' Bump array index 

Loop 

CGI NumFormTuples = n ' Number of fields decoded 

15 n _ o ■ Reset counter 

1 Next, the [Form Huge] section. Will this ever get executed?, 

sList = GetProfileC'Form Huqe", "") ' Get key 'list 

1 = Len(sList) ' Lenqth incl . trailmq null 

i - 1 ' Start at 1st character 

20 Do while ((i < 1) And (n < MAX FORM TUPLES) ) ' Safety stop here 

i = InStrti, sList, Chr$(0>) ' J -> next null 

CGI HuqeTuples (n) .key = Mid$(sList, i, i - i) ' Get Key 
buf = GetProfileC'Form Huqe", CGI HuqeTuples (n) .key) / "offset length' 
k = InStrtbuf, " '!) ' Delimiter 

CGI HuqeTuples (n) -.off set = CLnq (Mid$ (buf , 1, (k - 1))) 
CGI HuqeTuples (n) .lenqth = CLnq (Mid$ (buf , k, (Len(buf) - k + 1))) 
25 i = i + 1 ' Bump pointer 

n = n + 1 ' Bump array index 

Loop 

CGI_NumHugeTuples = n 1 Fill in global count 

n = 0 ' Reset counter ^ 

30 , 

' Finally, the [Form File] section. 

sList = GetProfileC'Form File", "") 1 Get key list 

1 = Len(sList) ' Lenqth incl. trailing null 

i = 1 ' Start at 1st character 

Do While ((i < 1) And (n < MAX FILE TUPLES ) ) ' Safety stop here 
35 i = InStrti, sList, Chr$(0)) ' J -> next null 

CGI FileTuples (n) .key = Mid$(sList, i, i - i) .'. Get Key 
buf = GetProfileC'Form File", CGI FileTuples (n) .key) 
ParseFileValue buf, CGI FileTuples (n) ' Complicated, use Sub 
i = -j + 1 1 Bump pointer 

n = n + 1 ' Bump array index 

. Loop 
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CGI_NumFileTuples = n ' Fill in global count 

End Sub 

GetProfileO - Get a value or enumerate keys in CGI_Profile file 

Get a value qiven the section and kev, or enumerate keys qiven the 
section name and "" for the key. If enumeratinq, the list of keys for 
the qiven section is returned as a null -separated string, with a 
double null at the end. i/ 

VB handles this with flair! I couldn't believe my eves when I tried this. 

Private F'jnct.icn GetProf ile < sSection As String, sKey As String) As String 
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Dim retLen As Lonq 

Dim buf As String * ENUM_BUF_SIZE 

" 'StLen r G 2p?ivateProfileString(sSection. sKey, "". buf, ENUM_BUF_SIZE, 
CGI ProfileFile) 

E1Se retLen = GetPrivateProf ileStringtsSection, 0&. "". buf, ENUM_BUF_SIZE. C 
GI ProfileFile) 
End If 

If retLen = 0 Then 
GetProfile = "" 

Else 

GetProfile = Left$(buf, retLen) 
End If 



15 End Function 



• Get the value of a "small" form field given the key r 
■ Signals an error if field does not exist 

Function GetSmallField (key As String) As String 
Dim i As Integer 

For i = 0 To (CGI NumFormTuples - D 

If CGI FormTuples (i) .key = key Then 

GetSmallField = Trim$(CGI FormTuples d) .value) 
Exit Function ' ** DONE ** 

End If 
Next i 

' Field does not exist 

Error ERR_NO_F I E LD 
End Function 

InitializeCGI 0 - Fill in all of the CGI variables, etc. 

Read the profile file name from the command line, then fill in 
the CGI qlobals, the Accept type list and the Extra headers list^ 
Then open the input and output files. 

Returns True if OK, False if some sort of error. See f ReturnError() 
for info on how errors are handled. 

NOTE: Assumes that the CGI error handler has been armed with On Error ^ 
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Sub InitializeCGI ( ) 

Dim sect As String 

Dim arqc As Inteqer 

Static arqv(MAX CMDARGS) As String 

Dim buf As String 

CGI_DebugMode = True ' Initialization errors are very bad 

Parse the command line. We need the profile file name (duh!) 
-and the output file name NOW, so we can return any errors we 
trap. The error handler writes to the output file. 

arqc = GetArqs (arqv( ) ) 
CGI ProfileFile = argv(O) 
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CGI ServerSoftware = GetProf ile (sect , "Server Software") 
CGI S^rName = GetProf ile (sect, "Server Name") 
CGI SstProtocol = GetProf ile (sect, "Request Protocol") 
CGI ServerAdmin = GetProfile (sect, "Server Admin") 
^ vorcTon - GetProf ile ( sect , "CGI Version") 
CG S^Metnld*^ Reauest Method^) 

buf = GetProfile (sect. "Reauest Keep-live . _ N 
10 If (Left$(buf, 1) = "Y" ) Then Must starc wlcn 

CGI_RequestKeepAlive = True 

Else 

CGI_RequestKeepAlive = False 

CGI LoqicalPath = GetProf ile ( sect , "Logical Path") 
CGI PhvsicalPath = GetProf ile (sect, "Physical Path'') 

15 CGI ExecutablePath = GetProf ile ( sect , "Executable Path") 

CGI SrvStrinq = GetProf ile (sect, "Query String") 
CGI RemoteHost = GetProf ile (sect , "Remote Host") 
CGI KmoteAddr = GetProf ile (sect , "Remote Address" 
CGi KeStRanqe = GetProf ile (sect "Request Range") 
CGI Referer = GetProf ile (sect, "Referer") 

on CGI From = GetProf ile < ,; ect , "From") 

CGI UserAqent = GetProf ile (sect , "User Aqent") 
CGI AuthUsIr = GetProfile (sect, "Authenticated Username 
CGI AuthPals = GetProfile (sect, "Authenticated Password") 
CGI AuthRealm = GetProf ile (sect, "Authentication Realm 
CGI Au£hType = GetProf ile (sect, "Authentication Method") 
CGI ContentType = GetProf ile (sect , "Content Type") 

25 buf = GetProfile (sect, "Content Length ) 

If buf = "" Then > 
CGI_ContentLength = 0 _ 

Else 

CGI_ContentLength = CLng(buf) 

End If „ „„ . 

buf = GetProfile (sect, ^''Server Port ) 

30 if buf = "" Then 

CGI_ServerPort = -1 

Else 

CGI_ServerPort = Clnt(buf) 
End If 
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s^ct — "Svst.srn" 

CGI ContentFile = GetProf ile (sect, "Content File") 
CGI OutoutFile = GetProfile (sect, "Output File") 

gen°C§rSputmf For Output Access Write As #CGI_OutputFN ' 
buf = GetProfile (sect, "GMT Offset") , aqainst errors 

CGllGMTOffsI? = CVDate(Val(buf) / 86400#) ■ Timeserial GMT offset 
Else 

CGI_GMTOf f set = 0 

buf ^GetProfile (sect, "Debug Mode") ' Y or N 
If (Left$(buf, 1) = "Y") Then Must start with Y 

CGI_DebugMode = True 

45 Else 

CGI_DebugMode = False 
End If r 

rprarrentTvoes ' Enumerate Accept: types into tuples 

GPtExtrSladlrs ' Enumerate extra headers into tuples 

GetFormSpffl 1 Decode any POST form input into tuples 
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End Sub 
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mainO - CGI script back-end main procedure 

■ This is the main ( ) for the VB back end. Note carefullv how the error 
' handlinq is set up, and how proqram cleanup is done. If no command 
' line arqs are present, call Inter Maini) and exit. 

t _-.-----_---_-- - - 

Sub Main( ) 

On Error GoTo ErrorHandler 

If Trim$ (Command$) = "" Then ' Interactive start 
'MsqBox "Here" 

Inter Main > ' Call interactive main. 

Exit Sub ■ ' Exit the program 

End If 

' InitializeCGI ' Create the CGI environment 



CGI Main ■' Execute the actual "script" 



Cleanup: 

20 Close #CGI Output FN 

Exit Sub ' End the program 



ErrorHandler: 

Select Case Err ' Decode our "user defined" errors 

Case ERR NO • FIELD: 

ErrorString = "Unknown' form field" 
25 Case Else: 

ErrorString = Error$ ' Must be VB error 
End Select 

ErrorStrinq = ErrorStrinq & " (error #" & Err _ ")" 
On Error GoTo 0 ' Prevent recursion 

ErrorHandler (Err) ' Generate HTTP error result 

Resume Cleanup 



End Sub 



SendO - Shortcut for writing to output file 



Sub Send(s As Strinq) 

Print #CGI_OutputFN, s 
End Sub 



SendNoOpO - Tell browser to do nothing. 

Most browsers will do nothing. Netscape 1.0N leaves hourglass 
cursor until the mouse is waved around. Enhanced Mosaic 2.0 
oputs up an alert saying "URL leads nowhere" . Your results may 
' vary ... 



Sub SendNoOpO 

Send ("HTTP/1.0 204 No Response") 
Send ("Server: " + CGI_ServerSof tware) 
so Send ("") 

End Sub 
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• WebDate - Return an HTTP/ 1.0 compliant date/time string 

5 i incuts- t = Local time as VB Variant (e . q . , returned by Now , , i 
. Returns: Properly formatted^P/l.O^date/time^^GM. _ 

Function"webDate(dt As Variant) As String 
Dim t As Variant 

10 t = CVDateldt - CGI GMTOffset) ' Convert time to GMT 

WebDate = Formats (t, "ddd dd mmm yyyy * h :mm: ss" ) & GMT 

End Function 



15 

PlusToSpaceO - Remove plus-delimiters from HTTP-encoded string 

20 Public Sub plusToSpacels As String) 
Dim i As Integer 

i = l 

Do While True 

i = InStrli, s, "+") 
If i = 0 Then Exit Do 
25 MidSls, i) = " " 

Loop 

End Sub 
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UnescapeO - Convert HTTP-escaped string to normal form 

Public Function Unescape(s As String) 
Dim i As Integer, 1 As Integer 
Dim c As String 



If InStr(s, "%") = 
Unescape = s 
Exit Function 

End If 



0 Then ' Catch simple case 



1 x Len(s) 
Unescape = "" 

F ° r c = Mid$(s, i, 1) ' »ext character 

If c = "%" Then 

If Mid$(s, n i + 1, 1) = Then 

| ~_ x 1 Loop increments too 

45 Else , ,,, 

c - x2c(Mid$(s, i + 1, 2)) 

i = ' Lo °P increments too 

End If 
End If 

Unescape = Unescape & c 
Next i 
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End Function 
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' x2c() - Convert hex-escaped character to ASCII 



Private Function x2c(s As String) As- String 
Dim t As String 

t = "&H" Sc s 
x2c = Chr$ (CInt (t) ) 

End Function 

Private Sub ParseFileValue (buf As String, ByRef t As FileTuple) 
Dim i, j, k, 1 As Integer 

, 5 1 = Len(buf) 

i = InStr(buf, " ") ' First delimiter 

t.file = Mid$(buf, 1 , (i - 1) ) ' [file] 

t.file = Mid$ (t.file, 2, Len(t.file) - .2) ' file 

i = InStr((i + 1), buf, " ") ' Next delimiter 

20 t. length = CLng (Mid$ (buf , (i + 1), (j - i - ■ 1) ) ) 

i = i 

-j = InStr((i + 1), buf, " ") ' Next delimiter 

t.tvpe = Mid$(buf, (i + 1), < j - i - l > ■ 
i = j 

25 j = lnStr((i + 1), buf, " " ) ' Next delimiter 

t. encoding = Mid$(buf, (i + 1), (j - i - 1) ) 
i = j 

t.name = Mid$(buf, (i + 1), (1-i-D! 1 [name] 
t . name = Mid$ ( t . name , 2 , Len ( t . name i - 1 ) ' . name 

30 End Sub 



FindExtraHeaderO - Get the text from an "extra" header 

Given the extra header's name, return the stuff after the ":" 
or an empty string if not there. 



Public Function FindExtraHeader (key As String) As String 
Dim i As Integer 

For i = 0 To (CGI NumExtraHeaders - 1) 

If CGI ExtraHeaders (i) .key = key Then 

FindExtraHeader = Trim$(CGI ExtraHeaders (i) .value] 
Exit Function ' ** DONE *+ 

End If 
Next i 

' Nof present, return empty string 

FindExtraHeader = "" 
End Function 
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Mcauie2 - I 
Option Explicit 

Global Const SvstemTitle = "Invent 1.0" 
5 Dim sSelector As String 

Dim db As Database 
Dim gd As QueryDef 
Dim ds As Dynaset 

Dim FCCReguired As String, FCCConditions As String, FDARequired As String 



10 Function EnumerateQueryDef ( ) As Integer 

Dim MvQuery As QueryDef 
Dim i As Inteqer 

Set MvQuery = db . CreateQueryDef ( "This is a test") 
Debug. Print 

1 Enumerate QueryDef objects. 
Debug. Print 

75 For i = 0 To db. QueryDef s. Count - 1 

Debug. Print Str(i) & " >" & db. QueryDef s (i) .name 
Next i 
Debug. Print 

' Enumerate built-in properties of MyQuery. 
Debug. Print "MyQuery .Name : " ; MvQuery. name 
20 Debug. Print "MyQuery . DateCreated : "; MyQuery . DateCreated 

Debug. Print "MyQuery . LastUpdated : " ; MyQuery . LastUpdated 

Debug. Print "MvQuery . SQL : " ; MyQuery . SQL 

Debug. Print "MvQuery ; ODBCTimeout : " ; MyQuery .ODBCTimeout 
Debug. Print "MyQuery . Updatable : "; MvQuery . Updatable 
Debug. Print "MyQuery .Type : " ; MyQuerv.cvpe 
25 Debug. Print "MyQuery . Connect : " ; MyQuery . Connect 

/ Debug. Print "MyQuery .ReturnsRecords : " MyQuery . ReturnsRecords 

db .QueryDef s . Delete "This is a test" 
EnumerateQueryDef = True 
End Function 
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Sub CGI MainO 

Dim X As Inteqer 

sSelector = UCase$ (Mid$ (CGI_LogicalPath, 2)) ' Remove leading "/" 

Set db = OpenDatabase ( "c : \website\cgi-win\dbl .mdb" ) 
Send ( "Content -type : text /html") 
40 Send ("X-CGI-prog: NCR Secure HTML") 

Send ("<Body>") 
Send ("") 

Select Case UCase$ (CGI_RequestMethod) 
Case "GET" : 
DoGet 

45 Case "POST" : 

DoPost 

Send ("<H2>Cannot do & CGI_RequestMethod & """ method</H2>" ) 

■ End Select 
Send ("</Body>") 
db. Close 

50 

End Sub 

' Ask yourself : 
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whv did I use CGI ExecutablePath? 
Could I have used Snapshots here? 
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Sub DoGet I ; 

Dim LinkStart As Strinq 

Dim PreResulcs As Strinq, PostResults As String 
Dim Results As Snapshot, i As Inteqer 
LinkStart = "<A HREF=" " " & CGI_ExecutablePath 
Select Case sSelector 
Case "" 

'qet defined text from database 

Set Results = db.CreateSnapshot ( "select dirtinct [file name] fro 

m files") 

Send ("<BODY>") 

Send ("<Form method=post action=/cgi-v*in/invent . exe/getf ile>" ) 
Re su 1 1 s . MoveLas t 
Results .MoveFirst 

Send ("Select a file name from the list<br>") 
Send ( " < SELECT size=5 NAME= " "oriqin" " > " ) 
For i = 0 To Results . RecordCount - 1 

If Results! [file name] <> "index.htm" Then 
Send ("<OPTION>" & Results ! [file name]) 

End If 

Results. MoveNext 
Next i 

Send ( "</Select><br>" ; 
Results .Close 

Send ("You must enter a username and password to get access tc t 
hese files. <br>") 

Send ("<pre>") 

Send ("User name: <input tvpe=text name=username><br>" ) 
Send ("Password: <input tvpe=password name=password><br>" ) 
Send ("<INPUT TYPE=SUBMIT VALUE =" "Get File"" NAME="" submit" ">" ) 
Send ("</PRE></FORM><br>") 
Send ("</BODY>") 
Case Else: 

Send ("<H2>Bad GET selector ' & sSelector & """</H2>") 

End Select 



End Sub 



' Notes: 

' The real challenqe is error handlinq. Only the simplest is done here. 

' The database is defined to prevent duplicate student & class names 

1 The database is defined to enforce relational integrity • . 

Sub DoPostO 

Dim X As Inteqer 

D:m a As Inteqer, okerror As Integer 

Dim i As Inteqer 

Dim Results As Snapshot 

Dim FSecurity As Inteqer 

Dim usersecurity As Strinq, myuserqroup As String 
Dim username As Strinq, password As Strinq 
Dim filename As Strinq, FileSecurity As String 
Dim f ileuserqroup As Strinq, temp As String 
Dim GroupSecuritv As Inteqer 
Dim MyUserGroups ( ) As Strinq 
Dim FileUserGroups ( ) As Strinq 

On Error GoTo OnPostError ' We need to handle errors here 



ReDim MyUserGroups (100) 
ReDim FileUserGroups (100) 
FSecurity = False 

Select Case sSelector 
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Case "GETFILE" 

'qet username and password 
username = GetSmallField ( "username" ) 
password = GetSmallField i "password" ) 

Set Results = db.CreateSnaDshot ( "select * from users where [user 
id] = '" & username & "' and password = '" & password & "'") 
If Results. EOF Then 
Send ("<body>") 

Send ("<hl>User Name and Password Invalid</hl>" ) 
Send ("</body>") 

• Else 
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usersecuritv = UCase (Results ! security) 
myusergroup = Results ! [User Group] 

Results .Close 
'MsgBox myusergroup 

'qet filename 

filename = GetSmallField ( "origin" ) 
'get filename security 

Set Results = db .CreateSnapshot ( "select * from files where [File 
" & filename & "•") 

FileSecurity = UCase (Results : security) 
f ileusergroup = Results ! [User Group] 

'check usersecurity against filesecurity and if it is ok then co 

If (usersecurity = "HI" And (FileSecurity = "HI" Or FileSecurity 
Or FileSecurity = "LO")) Then 
FSecurity = True 

Else 

If (usersecurity = "MEDIUM" And (FileSecurity = "MEDIUM" Or 
FileSecurity = "LO")) Then 

FSecurity = True 

Else 

If {usersecurity = " LO" And FileSecurity = "LO") Then 

FSecurity = True 
End If 
End If 
End If 



Name] 



ntmue . 
= "MEDIUM" 
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If FSecurity = False Then 
Send ("<body>") 

Send ("You do not have the correct file security<br>" ) 
Send ("</body>") 

Else 
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'qet'qroup security for both the user and the file selected 

I _ _ _ 

'fill in myusergroup array 

a = 0 ' N 

For i = 1 To Len (myuserqroup) 

If Mid (myuserqroup, i, 1) = "," Then s_ 
MyUserGroups (a) = temp 
a = a + 1 
temp = "" 

Else 

temp = temp & Mid (myusergroup, i, 1) 
End If 
Next i ■ 
'qet last one 
MyUserGroups (a) = temp 
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:ai :■ Then 
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'fill in f ileusergrcup array 
temp = "" 
a = C 

For i = 1 To Len(f ileuserarouD) 

If Mid(f ileuserqroup, i, 1) = "." Then 
FileUserGroups 'a) = temp 
a = a ♦ l 
temp = "" 

Else 

temp = temp & Mid (f ileusergroup, i, 1] 
End If 
Next i 

•qet last one 
FileUserGroups (a) = temp 



'check group permissions, remember you are using arrays here 

For i = 0 To 100 

If MyUserGroups (i) <> "" Then 

For a - 0 To 100 

If FileUserGroups (a) <> "" Then 

If Val (MyUserGroups (i) ) = Val (FileUserGroups 



GrouDSecurity = True 
'msqbox "groupsecurity is true" 
Exit For 

25 Else 

a = a + 1 
End If 

Else 

Exit For 
End If 
Next a 



If GroupSecurity = True Then 

Exit For 
End If 

Else 

Exit For . 
End If 
Next i 



■done checkinq arrays . 
•send results if true send html for the file else get out wi 



If GroupSecurity = True Then 

Send (Results! html) 
Else 

Send ("<body>") . 
Send ("You do not belong to the correct Group, Sorry<br> 

") 

. Send ("</body>") 
45 End If 

Results .Close 
End If 
Send ("") 
End If 

CaSe Send e ("<H2>Bad POST selector """ i_sSelector & """</H2>"i 

50 
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DoPostFinish: ' Can .come here via error, 

' State of ds & ad unknown 

On Error Resume Next ' Make sure ds and qd are closed 

ds. Close ' else db. Close will fail and you lose 

qd. Close 

Exit Sub 
1 ExceDtion Handler 



15 OnPostError: 

If Err = ERR NO FIELD Then 

okerror = ERR_NO_FIELD 

Resume Next 
End If 
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If Err >= CGI_ERR_STAF. 1' Then Error Err ' Resignal if a CGI.BAS error 
Send ("<H2>There was a problem: </H2>" ) 

Send ("VB reports: <CODE>" & Errors & " (error «" & Err & " )< /C0DE><H3 >Best 
Guess:"! 

Select Case sSelector 

Case "ENROLL" : ' Probably a duplicate name (enforced by database) 

Send ("Already enrolled") 

Case "DISMISS": ' This is ugly, name came from dropbox 

Send ("?? This is ugly ??") 

Case "ADD " : 

Send ("Class already exists") 

Case "DEL" : 

Send ("?? This is ugly ??"> 

Case "CL4ST" : 

Send ("?? This is ugly ??") 

Case "ST4CL" 

Send ("?? This is ugly ??") 

Case "TAKE": 

Send ("Already taking this class") 

Case "DROP": 

Send ("Not in this class") 

Case Else: 

Send ("Programmer error: Unknown selector in POST exception handler. 

") 

End Select 
Send ("</H3>") 
Resume DoPostFinish 
End Sub 

Sub Inter_Main ( ) 
CGI Main 

MsqBox "This is a Windows CGI program" 
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Sub OptionList (FieldName As String, Tbl As String, Ccl As String. 

Send ("Select " & FieldName & ": <SELECT NAME=' & FieldName £ »■•«.,.•■, 

Set ds = db.CreateDynaset (Tbl! 
Do Until ds.EOF 

Send ("<0PTION>" & dsfCol!' 

ds . MoveNext 

Lood 
d s Ci. o s 

SencT<"</SELECT>") 
End Sub 



Public Function ConvertSpaces ( temp As String) 
End Function 

Public Function ConvertPlusSigns (temp As String) 
End Function 



Claims 

1 . A document security system comprising a server (1 2A) in which a plurality of documents are stored for access by 
user terminals (20A..20N) 

characterised in that 

a database (A) is provided in the server (12A), which database (A) has: means for storing user information 
(110,120,130,140,150); means for storing document information (210,220,230,240); and means for providing 
access to the stored documents document-by-document on the basis of the user information and the document 
information. 

2. The system according to claim 1 wherein the said means for storing user information includes means for storing a 
user identification name (1 1 0), an associated user password (1 30) and an associated security level indicator (1 40) 
for indicating the highest level of security access for the user name associated therewith. 

3. The system according to either one of the preceding claims wherein the said means for storing document informa- 
tion includes a file name (230), code means for creating a document (240) associated with the file name (230) and 
a security level indicator (210) associated with the file name (230) for indicating the security level of the associated 
document (230). 

4. The system according to any one of the preceding claims wherein the said means for providing access to stored 
documents is included in a common gateway interface file (CGI-A..CGI-N). 

5. The system according to any one of the preceding claims and comprising a plurality of different servers (12A..12N) 
each having its own database (A..N) and each having an internet connection to enable any of a plurality of user ter- 
minals (20A..20N) to be connected to any of the servers (12A..12N). 

j 

6. A method of providing document security in an environment where a server stores a plurality of documents and the 
server is accessible by any of a plurality of user terminals comprising the steps of: 



assigning a security level to each document, 



assigning a security level to each user terminal, 

receiving a request at the server from a user terminal for access to a document, 
determining the security level assigned to the user terminal, 

comparing the determined security level with the security level assigned to the requested document, and 
providing access to the requested document only if the result of the comparison step indicates that the security 
level of the said user terminal is at least as high as the security level assigned to the requested document. 

The method according to claim 6 wherein there are a plurality of servers and including the step of locating the par- 
ticular server in which the requested document is stored. 



The method according to claim 6 or claim 7 and including the step of associating a user identification name and a 
user password with the assigned user security level. 
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